@Hollander:

So, Bill: is there perhaps a way to apply the settings from LAN to VLANx via a script in the CLI?

Bye  :P

Yes, this is technically possible, but the developers were not keen on the idea so I did not include it.  All of the settings for an interface are stored as XML data in the /conf/config.xml file on the firewall.  If you study that file and know XML, you can pretty quickly see how things work.  Just find the section for Packages and then Suricata (or Snort).  Each configured Suricata interface has its own sub-section in the file.  Copying one sub-section over to another, and adjusting for interface names and a couple of other interface-unique parameters is all that is required.

Bill

@dmitripr:

… Based on the topic I link in my second message, looks like the blocked hosts are removed when filter is reset -- which would happen at reboot. That's outside of Snort's control.

Thanks for the message, though!

Correct.  On a reboot all of the pf tables are cleared, including the <snor2c>table utilized by Snort.

Bill</snor2c>

I don't know of anything that would remove the CRON package after it was installed. Only thing, i could see is if you did a Restore of a Previous Configuration which rolled it back to before CRON was installed.

You can use Squid's Traffic Mgmt tab to throttle particular extensions.  Set Per-host throttling to 2000 (KB), Throttle only specific extensions checked, and your list of extensions in Throttle other extensions

I follow your post to install rsyslog on pfsense .
But while I am restarting my machine the /etc/syslog.conf file restored to previous file that is one before installation of rsyslog.

I suspect it was your browser cache.  I've seen this exact problem myself more than once, and a ctrl-F5 always fixed it.  You get the error page, hit F5 and see the same error page, hit ctrl-F5 and there it is.  It's weird like that, but you just remember the glitch if you do a lot of installs.

Run a Lightsquid report and see what your Hit% is after a week or so of normal usage for your cafe.  That will tell you how effective Squid is being about caching content and saving bandwidth.

@Cino:

Noticed something else this morning, the cron job that removes IPs from snort2c seems to disappears after a reboot. I have to go to into the global tab and save it so the job is recreated.

EDIT: Nevermind… Its not because of a reboot... When I make changes to snort, it removes the cron job because I deactivated blocking in snort

You can have lots of weird issues if you run both Snort and Suricata in blocking mode because for the moment they share the same pf table (the snort2c table).

Bill

@cyber7:

To the pfSense Developers.  PLEASE STOP BREAKING THE WIDESCREEN ABILITY!

It has never been broken intentionally. We can't hold back the base system because some unofficial and unsupported patch might break, especially when security and similar fixes are required. The original creator of the patch or someone with the skills to update it would have to keep up with the code changes in the base system. If someone wants to maintain the patch and bring it up to a current version, others may appreciate it, but if we wanted the patch in the base system for 2.1.x it would have been officially accepted there long ago.

There is a widescreen theme in 2.2, and 2.2 is moving along, almost to BETA. That's the only place that officially contains widescreen support. Anything else only works by luck/chance.

If it bothers you that much, put up a bounty to have someone fix the widescreen patch or fix it yourself for others to use.

I had to go here to get the full details:

http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

not 100% it is actually working as intended with those recommendations as lightsquid logs are not totally clear as to whom is getting a hit on the cache for updates… so ya.  maybe that will help you some.

Using Squid and SquidGuard, go to Services - Proxy filter.  Click the Target categories tab and add a new one.  Give it a name and add your allowed domains to the Domain List.  Click Save.  Go to the Common ACL tab and click the green arrow button to expand the Target Rules List.  Make sure your Target category is listed at the top and its access is set to allow.  Underneath that (because the rules are processed in order from top down) make sure that Default access [all] is set to deny.  Set your Proxy Denied Error, Redirect mode, and Redirect info to whatever you need.  Click Save.  Go to the General settings tab.  Click Save, then click Apply.

@Cino:

@Trel:

I turned on packet logging for an interface to test with, but I can't find where to actually access those logs.

I kept getting the "Suspicious User Agent" alert so I wanted to look at the packets to see what actually it's flagging.

i get a ton of them, mostly false positives for me but look here /var/log/suricata/suricata_'interface id'

Based on the port being used and the  machine it's coming from, I'm fairly certain I know what's triggering it

and if I'm reading the rule right: http://doc.emergingthreats.net/bin/view/Main/2001891

That's being triggered by "3a" or " agent" being in the user agent?

My unbound runs OK. (2.1.x, x64)
Have you tried, without the cache restoration option turned on?

With cache restoration turned on, my system reboot would take forever, because of unbound hanging/processing a maybe corrupt cache-file.

http://www.smallbusinesstech.net/more-complicated-instructions/nagios/setting-up-nagios-on-a-debian-server-to-remotely-monitor-an-untangle-server

define service{
        use                            generic-service       
        host_name                      pfsense
        service_description          Current Load
        check_command check_nrpe_1arg!check_load
}

http://en.wikipedia.org/wiki/Snort_(software)

https://doc.pfsense.org/index.php/Setup_Snort_Package

https://forum.pfsense.org/index.php?topic=61018.0

I don't use Dansguardian, so I am not sure if you have to configure SARG for either Dansguardian or Squid. You probably don't want to configure it for both.

My guess, is that your configuration is correct now, cause you have an index that shows up and the realtime works.

If you look under:

Services - Proxy: Log rotate (this setting will conflict with SARG)
Status - SARG Reports - Schedule - Schedule Options - Action after sarg

From what I read, you should leave Squid to not rotate logs at all and have SARG do it instead.

Or you can modify the CRON job for SARG so it runs right before Squid rotates logs.

If you leave Squid rotating logs, what happens is that at midnight, it will restart and zero out the acess.log, so when SARG tries to read the access.log it will be empty, producing a blank report.

You can test your configuration by going ahead and opening up the SARG schedule and clicking Force update now. Then check Status - System Logs and it should show any errors if SARG is having an issue.

If it works, you should see updated reports.